General
Target: AnyDeskEN.7z
Size: 6MB
Sample: 220816-wlc17sfbh7
MD5: e91381cfc4ec3cb6038d56b547cea420
SHA1: 9c8add80f14a2a83b666f3ed5098b8730738b545
SHA256: 94d40a523f9368e882a2a31d49442682482684f79cda5b66a65f866925091792
SHA512: 5ba801033bc43b57b7fd94d15c70e71a2199c7ae088ef0f0a6a4c6dd7e47159d9be599fa6dafd2be1a22aaf2e5d408ec3d5fd973dceb01ed507314c491a50120
SSDEEP: 196608:/yrt9xp4TfLMD5kszUd6cs/Q0LQUFZahhq:/yrD/4TTK5ksQdyX7ah0
Static task: static1
Behavioral task: behavioral1, sample AnyDeskEN.exe, resource win7-20220812-en
Behavioral task: behavioral2, sample AnyDeskEN.exe, resource win10v2004-20220812-en
Malware Config
Extracted
Path: C:\Restore-My-Files.txt
Family: darkylock
Ransom Note: ---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkysupp@tuta.io 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ $> Life is too short to be sad. Be not sad, money, it is only paper <$ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Emails: darkysupp@tuta.io
Wallets: 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
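To turn the extracted configuration into something a blocklist can consume, here is an added Python example (not part of the sandbox report or of any tool it references) that pulls the wallet, contact e-mail and referenced binary name out of the ransom note text above, checks the wallet string with standard Bitcoin Base58Check decoding so a mangled copy is not pushed to a blocklist, and flattens the result together with the report's SHA256 hashes into CSV. The note fragments and hashes are copied from the report; the regexes, CSV layout and function names are this example's own.

```python
"""IOC extraction from the darkylock configuration above.

Added example, not part of the sandbox report. The ransom note fragments and
hashes are copied from the report; the regexes, CSV layout and function
names are this example's own.
"""
import csv
import hashlib
import io
import re

# Abridged ransom note as extracted by the sandbox (copied from the report).
RANSOM_NOTE = (
    "***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, "
    "and backups are deleted. Follow our instructions below, and you will "
    "recover all your data: 1) Pay 0.005 bitcoin to "
    "1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction "
    "id to darkysupp@tuta.io 3) Launch decrypt_bit.exe, which our support "
    "will send you through email"
)

# SHA256 hashes from the report: the 7z archive and the PE it contains.
SAMPLE_HASHES = {
    "AnyDeskEN.7z": "94d40a523f9368e882a2a31d49442682482684f79cda5b66a65f866925091792",
    "AnyDeskEN.exe": "1a9b00b4d133278901dc941c88bd83708782fa93293b00f775a7ebff4dc8d26a",
}

# Legacy (P2PKH/P2SH) Bitcoin address shape, contact e-mail, and any .exe name.
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EXE_NAME = re.compile(r"\b[\w-]+\.exe\b", re.I)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """True if addr decodes to 25 bytes (legacy Bitcoin address layout) and
    its trailing 4-byte double-SHA256 checksum verifies."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:          # character outside the Base58 alphabet
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_iocs(note):
    """Pull wallets, contact addresses and referenced binaries out of a note."""
    wallets = BTC_LEGACY.findall(note)
    return {
        "wallets": wallets,
        "wallet_checksum_ok": {w: base58check_ok(w) for w in wallets},
        "emails": sorted(set(EMAIL.findall(note))),
        "dropped_binaries": sorted(set(EXE_NAME.findall(note))),
    }


def iocs_to_csv(iocs, hashes):
    """Flatten hashes and note-derived IOCs into type,value,note rows."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["type", "value", "note"])
    for name, sha in hashes.items():
        w.writerow(["sha256", sha, name])
    for wallet in iocs["wallets"]:
        w.writerow(["btc_wallet", wallet,
                    "checksum_ok=%s" % iocs["wallet_checksum_ok"][wallet]])
    for e in iocs["emails"]:
        w.writerow(["email", e, ""])
    for b in iocs["dropped_binaries"]:
        w.writerow(["filename", b, "referenced in ransom note"])
    return buf.getvalue()


if __name__ == "__main__":
    print(iocs_to_csv(extract_iocs(RANSOM_NOTE), SAMPLE_HASHES))
```

The checksum result is carried along in the CSV rather than used to drop the row: a note author can still publish a typo, and you want to know that happened rather than silently lose the indicator.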
Targets
Target: AnyDeskEN.exe
Size: 6MB
MD5: 81a222d0d359ab9104a587a08786abbc
SHA1: 4b251260608828f6ce41f4244dcdb8ebe1e5a0b4
SHA256: 1a9b00b4d133278901dc941c88bd83708782fa93293b00f775a7ebff4dc8d26a
SHA512: 310b05803327b1c1ec343918cff097b1f63c75d7ff704bffa7ee15cd22925fd6d6a5d32f6276e46706d810f656a28868cae3feb0c5d14b87e30ca288d5a81642
SSDEEP: 98304:olgps0DrlKJ+vUYhWlO8M2xT6pX2fvnY8nIoVgUrWLHJ8Z3USv+7iBlnlpHZuhE2:o6wJ6b58M5pWnY6Io3WknfTBJ
Score: 10/10
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Modifies extensions of user files. Ransomware generally changes the extension on encrypted files.
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger. The ThreadHideFromDebugger information class makes the calling thread invisible to an attached debugger, a common anti-debugging step.
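The signatures above are what the sandbox observed; to show how the same behaviours would surface in endpoint telemetry, here is an added Python example (not part of the report or of any EDR product) that runs a small rule set over constructed EDR-style registry and file events. The registry value paths (VBOX__ ACPI tables, SystemBiosVersion/VideoBiosVersion, the International\Geo\Nation country code) are the ones these sandbox signatures are commonly associated with, which is an assumption here, not something the report states; the `.locked` extension, process IDs and file names in the events are made up.

```python
"""Behaviour rules for the signatures listed above, run over constructed
EDR-style events. Added example, not part of the sandbox report.

The registry paths below are an assumed mapping of the sandbox signatures to
the values they usually read; the report itself only names the behaviours.
"""
import re
from collections import defaultdict

REGISTRY_RULES = {
    # "Identifies VirtualBox via ACPI registry values"
    "anti_vm_virtualbox_acpi": re.compile(
        r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    # "Checks BIOS information in registry"
    "anti_sandbox_bios_info": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    # "Checks computer location settings"
    "geofence_country_code": re.compile(
        r"\\Control Panel\\International\\Geo\\Nation$", re.I),
}
# Ransom note path from the extracted config.
RANSOM_NOTE_NAME = re.compile(r"\\Restore-My-Files\.txt$", re.I)
# "Modifies extensions of user files": distinct files re-extensioned by one process.
MASS_RENAME_THRESHOLD = 5

# Constructed events (not real telemetry). The ".locked" extension is a
# placeholder; the report does not state which extension the sample uses.
EVENTS = [
    {"pid": 1337, "image": "AnyDeskEN.exe", "op": "RegQueryValue",
     "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 1337, "image": "AnyDeskEN.exe", "op": "RegQueryValue",
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 1337, "image": "AnyDeskEN.exe", "op": "RegQueryValue",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
    *[{"pid": 1337, "image": "AnyDeskEN.exe", "op": "FileRename",
       "path": r"C:\Users\victim\Documents\report%d.docx" % i,
       "new_path": r"C:\Users\victim\Documents\report%d.docx.locked" % i}
      for i in range(6)],
    {"pid": 1337, "image": "AnyDeskEN.exe", "op": "FileCreate",
     "path": r"C:\Restore-My-Files.txt"},
    # A benign process reading the locale, to show the weak-signal case.
    {"pid": 4242, "image": "explorer.exe", "op": "RegQueryValue",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
]


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(events):
    """Group events by (pid, image) and return the sorted behaviours each hit."""
    hits = defaultdict(set)
    renamed = defaultdict(set)
    for ev in events:
        key = (ev["pid"], ev["image"])
        if ev["op"] == "RegQueryValue":
            for name, rx in REGISTRY_RULES.items():
                if rx.search(ev["path"]):
                    hits[key].add(name)
        elif ev["op"] == "FileCreate" and RANSOM_NOTE_NAME.search(ev["path"]):
            hits[key].add("ransom_note_dropped")
        elif ev["op"] == "FileRename" and _ext(ev["path"]) != _ext(ev["new_path"]):
            renamed[key].add(ev["path"])
    for key, files in renamed.items():
        if len(files) >= MASS_RENAME_THRESHOLD:
            hits[key].add("mass_extension_change")
    return {k: sorted(v) for k, v in hits.items()}


def verdict(behaviours):
    """Collapse one process's behaviour list into a triage label."""
    b = set(behaviours)
    if "ransom_note_dropped" in b:
        return "ransomware"
    if "mass_extension_change" in b:
        return "suspicious-mass-rename"
    if b & set(REGISTRY_RULES):
        return "evasive"
    return "clean"


if __name__ == "__main__":
    for key, behaviours in analyse(EVENTS).items():
        print(key, verdict(behaviours), behaviours)
```

The explorer.exe entry is deliberate: a single locale or BIOS read is a weak signal on its own and will fire on legitimate software, so the registry rules are only worth alerting on in combination with the file-system behaviour. The NtSetInformationThreadHideFromDebugger signature is not covered because it is a syscall argument, not something visible in registry or file telemetry.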
MITRE ATT&CK Matrix
Tactic columns (no techniques are mapped in this extract): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation